If your hashing algorithm isn't capable of hashing more than 256 characters in a reasonable time, either the hashing algorithm is bad, the host system is of very poor performance, or you're doing something seriously wrong.
Did you read the previous post in this series? What's your point?
I did, and there are a lot of possible countermeasures to avoid password DoS, such as rate limiting and upload payload size limits.
My point is that barring a user from using passphrases or pass files for no reason doesn't make any sense security-wise and doesn't help with any kind of UX.
What would you suggest to be a suitable password max length then?
Your server's max payload upload size limit? Which may be brought down a bit for the authentication routes?
Then divide it by three for password change pages. And then test that it works through every single piece of infra between the edge and your servers. And sure, then you can do that. But is that really adding that much actual security over 256 character passwords?
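An added illustration of the countermeasures the thread discusses, written here as an example and not code from any of the commenters: the request body is size-checked before any hashing work starts, the password field gets its own generous cap so passphrases and pass files still work, and the stored hash uses a memory-hard KDF whose cost is set by its parameters rather than by the input length. The byte limits and the scrypt parameters are assumptions chosen for the example, not values from the thread.

```python
import hashlib
import hmac
import os
import time

# Illustrative limits (assumptions for this example, not from the thread):
# a request-body cap as an edge proxy might enforce, a tighter cap applied
# only on authentication routes, and a per-field cap on the password itself
# that still leaves room for long passphrases and pass-file contents.
MAX_BODY_BYTES = 64 * 1024       # general request-body limit
AUTH_BODY_BYTES = 8 * 1024       # stricter limit for login / password-change routes
MAX_PASSWORD_BYTES = 4096        # hard cap on the password field

# scrypt work factors (assumed values; ~16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


class PayloadTooLarge(ValueError):
    """Raised when a request or field exceeds its cap; raised before any hashing."""


def check_auth_payload(body: bytes) -> None:
    """Reject an oversized body on an auth route before the password is even parsed."""
    if len(body) > AUTH_BODY_BYTES:
        raise PayloadTooLarge(f"{len(body)} bytes exceeds auth-route cap of {AUTH_BODY_BYTES}")


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password). Long passphrases are fine; only the cap is enforced."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise PayloadTooLarge(f"password of {len(pw)} bytes exceeds cap of {MAX_PASSWORD_BYTES}")
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt || digest; never hashes an over-cap input."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES or len(stored) != SALT_LEN + KEY_LEN:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, digest)


def time_hash(password: str) -> float:
    """Wall-clock seconds for one hash_password call, to compare short vs long inputs."""
    t0 = time.perf_counter()
    hash_password(password)
    return time.perf_counter() - t0


if __name__ == "__main__":
    short = "hunter2"
    passphrase = "correct horse battery staple " * 12    # ~350 characters
    print(f"8-char password:    {time_hash(short):.3f}s")
    print(f"350-char passphrase: {time_hash(passphrase):.3f}s")
    stored = hash_password(passphrase)
    print("verify ok:", verify_password(passphrase, stored))
    try:
        check_auth_payload(b"password=" + b"A" * AUTH_BODY_BYTES)
    except PayloadTooLarge as e:
        print("rejected before hashing:", e)
```

Running the script shows the two hash timings sitting within the same range: scrypt's cost is dominated by N, r and p, so a several-hundred-character passphrase costs about the same as an eight-character password, which is the point made at the top of the thread. The DoS protection comes from the size checks that run before any KDF call, and the per-field cap can be derived from the auth-route body limit rather than from an arbitrary 256.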